Revision as of 15:43, 25 September 2009

UPDATE: I have proposed a "Sticky" Marking When Smart Highlighting enhancement to the Notepad++ team: when one is selecting a word character-by-character, allow one to do this multiple times, without clearing the previously selected (and now smart-highlighted) sets of words. Then, clear all marks when one double-clicks on any other word. Double-click smart-highlighting functionality remains the same as it was before. This allows one to follow variable assignments through the code more easily. This change allows one to select the original variable, then select a new variable that the old variable is now assigned to, and so on. If you're interested in the details, contact mike.boberski@owasp.org. If you'd like an already built version with the changes to copy over after you've installed, you can find it here

Commercial source code review tools are expensive. Let me rephrase: they cost as much as a house! Feeling like you just stepped into a survivalist reality show after being asked to perform a review using, for example, OWASP ASVS? You need tools, and you need them now. You also need tools more useful than, for example, RATS (Rough Auditing Tool for Security).

Tools such as RATS, even if their rules are beefed up, are still not a fast way to do a code review. If you accept the premise that when performing a code review one should do at least a minimal check for both false positives and false negatives, then regardless of tool you still need to go through each and every source file, even if only for a cursory inspection. This is where commercial source code review tools shine: their IDE-like GUIs let you jump through the code interactively and very efficiently. This is why tools such as RATS are pretty much useless. You need to be able to jump through the code easily and follow data from sources to sinks far more than you need an initial count of some huge number of potential findings!

With the above in mind, here's one way to fashion a basic, efficient source code review tool (in this case, for PHP source) using a little bit of research and some freely-available tools in perhaps unexpected ways. The basic idea is to use Notepad++ and its “User Defined Language” feature. It can be downloaded here: http://notepad-plus.sourceforge.net So, go and do that. The ability to define one’s own language using Notepad++'s configuration interfaces, its syntax highlighting, and its ability to highlight every instance of a variable by default once you select it, together provide the basis for a way to search file-by-file for security-related flaws. E.g., create a new “PHP 4, 5 SCA” language. You'll also want a grep tool, and you should open up the PHP web site so you can look up function and language definitions: http://us2.php.net/manual/en/ Also, install the “Explorer” plugin (download it from http://sourceforge.net/project/showfiles.php?group_id=189927&package_id=223667, copy it to the plugins directory, then enable it using the “Plugins” menu).

Then, based on looking for function names and other keywords related to input, SQL, sessions, URLs, files, etc., one can mine the source documents for relevant keywords, e.g.:

Then, when one opens a file using the new "language", starting from a suspected (highlighted) finding, one can double-click on the parameters and return values of suspect functions, then keep selecting variables and return values as you trace through the code, using the highlight-all-instances function and so on to expedite your review.
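The two steps above (mining files for keywords, then following a selected variable through its assignments) can also be scripted, which is handy for producing the initial grep-style list before opening files in Notepad++. The script below is an added example and is not part of the original page or of Notepad++; the keyword lists, the `SAMPLE_PHP` source and the variable-propagation rule are constructed for illustration. `mine_keywords` reports every line that mentions a keyword from a category, and `trace_variable` mimics the "sticky" highlighting: starting from one variable, any variable assigned from an expression that mentions an already tracked variable is added to the set, and every line mentioning a tracked variable is marked.

```python
import re

# Constructed keyword lists, grouped the way the page suggests (input, SQL,
# sessions, URLs, files, and so on). Starting point only; a real review
# extends them from the PHP manual.
KEYWORDS = {
    "input":    ["$_GET", "$_POST", "$_REQUEST", "$_COOKIE", "$_SERVER", "$_FILES"],
    "sql":      ["mysql_query", "mysqli_query", "pg_query"],
    "sessions": ["session_start", "session_id", "$_SESSION", "setcookie"],
    "urls":     ["header(", "parse_url", "file_get_contents", "curl_exec"],
    "files":    ["fopen(", "include", "require", "readfile", "unlink", "move_uploaded_file"],
    "exec":     ["eval(", "system(", "exec(", "shell_exec", "passthru"],
}

# Constructed PHP snippet standing in for a file under review.
SAMPLE_PHP = """<?php
session_start();
$id = $_GET['id'];
$name = $_POST['name'];
$clean = intval($id);
$sql = "SELECT * FROM users WHERE id = " . $clean;
$rows = mysql_query($sql);
$page = $_SESSION['page'];
echo "Hello " . $name;
"""

# A PHP variable token ($name, $_GET, ...) and a simple assignment at line start.
VAR_RE = re.compile(r"\$[A-Za-z_]\w*")
ASSIGN_RE = re.compile(r"^\s*(\$[A-Za-z_]\w*)\s*=(?!=)")


def mine_keywords(source, keywords=KEYWORDS):
    """Return [(line_no, category, keyword, stripped_line)] for each keyword hit,
    in file order: the grep-style list of places to start a trace from."""
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for category, words in keywords.items():
            for kw in words:
                if kw in line:
                    hits.append((no, category, kw, line.strip()))
    return hits


def trace_variable(source, start_var):
    """Follow start_var through assignments, like sticky highlighting.

    Returns (tracked_vars, marked_lines) where marked_lines is
    [(line_no, stripped_line)] for every line mentioning a tracked variable.
    Only whole variable tokens count, so $id never matches $identity."""
    lines = source.splitlines()
    tracked = {start_var}
    changed = True
    while changed:  # repeat until no assignment adds a new variable
        changed = False
        for line in lines:
            m = ASSIGN_RE.match(line)
            if not m:
                continue
            lhs, rhs = m.group(1), line[m.end():]
            if lhs not in tracked and any(v in VAR_RE.findall(rhs) for v in tracked):
                tracked.add(lhs)
                changed = True
    marked = [(no, line.strip()) for no, line in enumerate(lines, 1)
              if any(v in VAR_RE.findall(line) for v in tracked)]
    return tracked, marked


if __name__ == "__main__":
    for no, category, kw, text in mine_keywords(SAMPLE_PHP):
        print(f"sample.php:{no}: [{category}] {kw}: {text}")
    tracked, marked = trace_variable(SAMPLE_PHP, "$id")
    print("tracked:", sorted(tracked))
    for no, text in marked:
        print(f"sample.php:{no}: {text}")
```

On the constructed sample, the trace from `$id` picks up `$clean`, `$sql` and `$rows` in turn and marks lines 3, 5, 6 and 7, which is exactly the source-to-sink path (`$_GET` to `mysql_query`) a reviewer would follow by hand in the editor. The propagation rule is deliberately simple (one assignment per line, no function-call tracking), so treat its output as a starting list rather than a verdict.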